Permission based resource and service discovery

ABSTRACT

Current discovery mechanisms lack capabilities, such as capabilities related to permissions associated with a given registrant for example. In an example embodiment, a registrant of a service layer can communicate with a network node that hosts the service layer. The network node may receive a discovery request for a resource from the registrant. The discovery may request include various context. For example, the context of the discovery request may be indicative of an operation that the registrant intends to perform on the resource, a role that the registrant intends to assume if the registrant accesses the resource, a location in which the registrant intends to access the resource, or a subscription plan that the registrant intends to use if the registrant accesses the resource. Based on the context of the discovery request, the network node may determine whether one or more resources at the service layer satisfy the discovery request.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a National Stage Application filed under 35 U.S.C.371 of International Application No. PCT/US2015/060608, filed Nov. 13,2015, which claims the benefit of U.S. Provisional Patent ApplicationSer. No. 62/079,972, filed Nov. 14, 2014, the disclosure of which ishereby incorporated by reference as if set forth in its entirety herein.

BACKGROUND

From a protocol stack perspective, service layers are typically layeredon top of existing network protocol stacks. A service layer may be asoftware layer that hosts resources and services. A service may refer toa set of software functionalities that are accessed via a supportedinterface. A resource generally refers to an addressable entity having arepresentation that may be manipulated via various commands. Thus,service layers can provide value-added services to client applicationsand other services, and service layers are often categorized as“middleware” service layers. For example, FIG. 1 depicts an examplenetworking protocol stack 100 that depicts a service layer 22 betweenapplications 20 and various networking protocols 102, such asapplication protocols 104. In accordance with the example depicted inFIG. 1, the service layer 22 can support value-added servicecapabilities through a set of application programming interfaces (APIs)and underlying networking interfaces. By way of another example, theservice layer 22 can be layered directly over a transport protocol 106,such as transmission control protocol (TCP) or user datagram protocol(UDP) for example. By way of yet another example, the service layer 22can be layered directly over a protocol that is not in accordance with arepresentational state transfer (RESTful) architecture, which can bereferred to as a non-RESTful protocol, such as simple object accessprotocol (SOAP) for example.

A node or entity may register to a service layer. The terms node andentity are used interchangeably herein, without limitation, unlessotherwise specified. A node or entity that registers to a service layermay be referred to as a service layer registrant. Entities that mayregister to a given service layer may include, for example, anindividual service, an application, or another instance of the servicelayer. Existing service layers may support some discovery mechanisms.Such discovery mechanisms allow registrants of a given service layer toquery the given service layer to find resources that are hosted by thegiven service layer. Such discovery mechanisms, however, lackcapabilities, such as capabilities related to permissions associatedwith a given registrant for example.

SUMMARY

Described herein are methods, device, and systems for permission-basedresource and service discovery. In an example embodiment, a systemincludes a registrant, which may include an application or a commonservices entity for example, that communicates with a network node thathosts a service layer, which can be referred to as a common servicesentity. The network node may receive a discovery request, from theregistrant, for a resource, for instance a resource that the registrantis not authorized to access. The discovery may request include variouscontext. For example, the context of the discovery request may beindicative of at least one of an operation that the registrant intendsto perform on the resource, a role that the registrant intends to assumeif the registrant accesses the resource, a location in which theregistrant intends to access the resource, and a subscription plan thatthe registrant intends to use if the registrant accesses the resource.Based on the context of the discovery request, the network node maydetermine whether one or more resources at the service layer satisfy thediscovery request. The network node may send a discovery response to theregistrant, wherein the discovery response indicates a result of thedetermination of whether the one or more resources satisfy the discoveryrequest. When the one or more resources do not satisfy the discoveryrequest, the network node may send at least one resource to theregistrant such that the registrant can obtain permission to access theat least one resource. When the one or more resources satisfy thediscovery request, the network node may send the one or more resourcesto the registrant.

BRIEF DESCRIPTION OF THE DRAWINGS

A more detailed understanding may be had from the following description,given by way of example in conjunction with the accompanying drawingswherein:

FIG. 1 is a depiction of an example protocol stack that includes aservice layer;

FIG. 2 is a system diagram that depicts an example deployment ofinstances of the service layer;

FIG. 3 depicts an example oneM2M architecture;

FIG. 4 depicts an example configuration of the oneM2M architecture;

FIG. 5 is a block diagram that depicts example common servicefunctionalities of the oneM2M architecture;

FIG. 6 is a call flow that illustrates an example of oneM2M resourcediscovery;

FIG. 7 illustrates an example of an oneM2M access controls;

FIG. 8 is a block diagram that illustrates an example of an OMA LWM2Marchitecture;

FIG. 9 illustrates an example system that lacks permission-basedresource discovery;

FIG. 10 is a flow diagram that illustrates an example ofpermission-based resource and service discovery in accordance with anexample embodiment;

FIG. 11 is a call flow that illustrates an example of permission-basedresource and service discovery using example permission-based discoveryfilter criteria;

FIG. 12 is a call flow that illustrates another example ofpermission-based resource and service discovery using examplepermission-based discovery request parameters;

FIG. 13A is a system diagram of an example machine-to-machine (M2M) orInternet of Things (IoT) communication system in which one or moredisclosed embodiments may be implemented;

FIG. 13B is a system diagram of an example architecture that may be usedwithin the M2M/IoT communications system illustrated in FIG. 13A;

FIG. 13C is a system diagram of an example M2M/IoT terminal or gatewaydevice that may be used within the communications system illustrated inFIG. 13A;

FIG. 13D is a block diagram of an example computing system in whichaspects of the communication system of FIG. 13A may be embodied;

FIG. 14A is an example graphical user interface (GUI) for definingpermission based resource or service discovery criteria in accordancewith an example embodiment; and

FIG. 14B is an example GUI that can render results based on thediscovery criteria defined using the GUI depicted in FIG. 14A inaccordance with an example embodiment.

DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS

The ensuing detailed description is provided to illustrate exemplaryembodiments and is not intended to limit the scope, applicability, orconfiguration of the invention. Various changes may be made in thefunction and arrangement of elements and steps without departing fromthe spirit and scope of the invention.

Referring generally to FIGS. 13A and 13B, which are described in moredetail below, an example machine-to-machine (M2M), Internet of Things(IoT), or Web of Things (WoT) communication system 10 can include aplurality of devices, such as a plurality of machine-to-machine (M2M)devices for example, and a service layer 22 that can communicate withthe M2M devices via communication network 12. As used herein, an M2Mdevice may refer to any device that communicates in a network, such as agateway device 14 or terminal (endpoint) devices 18 for example. Each ofthe M2M gateway devices 14 and M2M terminal devices 18 may be configuredto transmit and receive signals via the communication network 12 ordirect radio link. The M2M devices 18 may also receive data from an M2Mapplication 20 or another M2M device 18. Further, data and signals maybe sent to and received from the M2M application 20 via the M2M servicelayer 22.

It will be understood that the M2M service layer 22 may communicate withany number of M2M applications, M2M gateway devices, M2M terminaldevices, and communication networks as desired. The M2M service layer 22may be implemented by one or more servers, computers, or the like. Theservice layer 22 can provide various services and capabilities to theM2M applications 20, M2M gateway devices 14, and M2M devices 18. The M2Mservice layer 22 may be implemented as a software middleware layer(above the IP stack 102 in FIG. 1) that supports value-added servicesfor M2M applications and devices through a set of ApplicationProgramming Interfaces (APIs) and underlying networking interfaces. Forexample, the service layer 22 may be a software layer that hostsresources and services that are made available to registrants of theservice layer 22 via the set of APIs and underlying networkinginterfaces. A service may generally refer to a set of relatedfunctionalities that are accessed via an interface. As used herein,unless otherwise specified, a resource may refer to any addressableentity that has a representation that can be manipulated. For example,resource representations can be manipulated via RESTful mechanisms, suchas Create, Retrieve, Update, or Delete for example. A registrant of agiven service layer (service layer registrant) may refer to any entitythat is registered to the service layer. Thus, for example, registrantsmay include applications, individual services, other instances of theservice layer, or the like. For convenience, unless other specified, theterms resource and service are used interchangeably, and thus a resourcecan include a service and a service can include a resource.

M2M service layers can be deployed on various M2M nodes, such asservers, gateways, and devices for example. As used herein, unlessotherwise specified, an M2M node, which can also be referred togenerally as a network node, refers to any device, gateway, or serverwithin an M2M network, such as the M2M system 10 for example. An M2Mnode may refer to any addressable entity within a network that hostsresources or services. Thus, a node may refer to a physical entity(e.g., a device, gateway, or server), a virtual entity (e.g., a virtualmachine, or a combination thereof that resides within a network.

Referring now to FIG. 2, an example M2M system or network 200 representsan example deployment scenario for the service layer 22. As shown, theinstances of the service layer 22, which can be referred to as servicelayer instances 22, can be deployed on various network nodes, such asgateways 14 and servers 202 for example. Thus, the service layer 22 canprovide services to network applications, device applications, and/orvarious network nodes for example. In accordance with the illustratedexample, the network 200 includes a device application domain 204, anetwork services domain 206, and a network application domain 208. Thenetwork application domain 208 may include various applications 20 andusers of the applications 20. The network services domain may includevarious servers 202 that are accessible to the applications 20 via acommunications network 12, which can be an operator network, a cloudnetwork, the Internet, or the like. The servers 202 may communicate withvarious access networks 212, and thus to various M2M devices 18, viagateway devices 14. Example M2M devices 18 include, as shown and withoutlimitation, sensors, actuators, RFID tags, and virtual objects. Variousembodiments described herein refer to the system 200 or its componentsfor convenience. It will be appreciated that the example system 200 andportions thereof are simplified to facilitate description of thedisclosed subject matter and is not intended to limit the scope of thisdisclosure. Other devices, systems, and configurations may be used toimplement the embodiments disclosed herein in addition to, or insteadof, a system such as the system 200, and all such embodiments arecontemplated as within the scope of the present disclosure.

By way of further background, an M2M/IoT service layer, for instance theM2M service layer 22, is an example service layer that may bespecifically targeted toward providing value-added services for M2M/IoTtype devices and applications. There are multiple M2M architectures withservice layers, such as European Telecommunications Standards Institute(ETSI) M2M service layer discussed in draft ETSI TS 102.690 1.1.1(2011-10), the Open Mobile Alliance (OMA) Lightweight M2M service layerdiscussed in draft version 1.0—14 Mar. 2013, and the oneM2M servicelayer discussed in oneM2M-TS-0001 oneM2M FunctionalArchitecture-V-0.1.2. M2M service layer architectures (e.g., ETSI M2M,OMA LWM2M, and oneM2M). As mentioned above, an M2M service layer canprovide applications and devices access to a collection of M2M centriccapabilities supported by the service layer. A few examples ofcapabilities include, presented without limitation, security, charging,data management, device management, discovery, provisioning, andconnectivity management. These capabilities are made available toapplications via APIs that can make use of message formats, resourcestructures, and resource representations supported by the M2M servicelayer.

A goal of oneM2M is to develop technical specifications for a common M2Mservice layer that can be readily embedded within various hardware andsoftware platforms. Such an M2M service layer may be relied upon toconnect a variety of devices in the field with M2M application serversworldwide. Referring also to FIG. 3, the oneM2M services layer supportsa set of Common Service Functions (CSFs), which can be referred togenerally as service capabilities. An instantiation of a set of one ormore particular types of CSFs is referred to as a Common Services Entity22 a (CSE), which can also be referred to simply as a service layer 22,that can be hosted on different types of network nodes (e.g.,infrastructure node, middle node, application-specific node). Thesecommon functions are exposed via the Mca, Mcc, and Mcn reference pointsas shown in FIG. 3. The Mca reference point designates communicationflows between an Application Entity (AE) 20 a, which can also bereferred to simply as applications 20, and a CSE 22 a. The Mcc referencepoint designates communication flows between CSEs that are in the sameM2M Service Provider (SP) domain. Communications across Mca and Mcc maytake place via paired Request/Response messages, wherein each requestperforms a specific RESTful operation (e.g., Create, Retrieve, Update,and Delete) upon a resource hosted on the targeted CSE 22 a.

Referring also to FIG. 4, an M2M/IoT/WoT communication system mayinclude the Infrastructure Domain 110 and a Field Domain 112. TheInfrastructure Domain 110 refers to the network side of the end-to-endM2M deployment, and the Field Domain 112 refers to the area networksthat are usually behind an M2M gateway. Mcc' denotes a reference pointthat is used for communication flows between CSEs 22 a that are locatedin the Infrastructure Domain 110 of different M2M service providers(SPs). The Mcn is used between a given CSE 22 a and an underlyingNetwork Services Entity 108 (NSE) for services other than transport andconnectivity. CSEs may be hosted on architectural entities referred toas nodes. A node may refer to a functional entity that hosts a CSE andzero or more AEs. Alternatively, a node may refer to a functional entitythat hosts one or more AEs. The oneM2M architecture supports varioustypes of node configurations, some of which are shown in FIG. 4 by wayof example.

Referring also to FIG. 5, an example set of common service functions 116(CSFs) that are supported by oneM2M is shown. A given CSE 22 a maysupport one or more, for instance all, of the CSFs 116 depicted in FIG.5.

By way of further background, in a typical oneM2M RESTful architecture,CSFs 116 are represented as a set of one or more resources. A resourcerefers to a uniquely addressable entity in the architecture having arepresentation that can be manipulated via RESTful mechanisms such as,for example, Create, Retrieve, Update, and Delete. Resources areaddressed using Universal Resource Identifiers (URIs). A resource maycontain child resources and attributes. A child resource is a resourcethat has a containment relationship with a parent resource. The parentresource representation may contain references to its child resources.The lifetime of a child resource may be limited by the parent's resourcelifetime. Each resource supports one or more attributes that areindicative of information associated with the resource.

Referring now to FIG. 6, oneM2M supports resource discovery mechanismsthat can be used by a registrant 118 to query and find resources orservices hosted by a receiver CSE 22 a. The registrant 118 may include,for example, a CSE 22 a or an AE 20 a. As shown in the example depictedin FIG. 6, oneM2M resource discovery uses a retrieve request that isoriginated by the registrant 118 (who was successfully authenticated andregistered to a CSE at 600). Still referring to FIG. 6, in accordancewith the illustrated example, at 602, the discovery request is sent tothe receiver CSE 22 a. The example discovery request includes anidentity (ID) of the registrant 118, an address of the resource wherethe discovery operation is to begin (e.g., <CSEBase>), and discoveryfilter criteria (fc). The filter criteria describe the rules that theCSE 22 a uses to perform the resource discovery. For example, the rulesmay indicate one or more resource types, a creation time, and one ormore labels that match. An example list of oneM2M filter criteria isshown in Table 1 below. At 604, the CSE 22 a uses the filter criteriawhen processing and searching for resources that match the discoveryrequest. Accordingly, such resources may be referred to as matchingresources. A match occurs when the service layer 22 a finds a resourcethat matches or meets the filter criteria that are specified in therequest that that was sent at 602, and when the registrant 118 hassufficient permissions to access the discovered resource. At 606, inaccordance with illustrated example, one or more matching resources arediscovered, and thus the receiver CSE 22 a sends a successful responseto the registrant 118. A successful response may indicate a list of thematched resources.

By way of example, still referring to FIG. 6, the CSE 22 a can support alabels attribute for each of the resources that it hosts. The labelsattribute can store search string information, such as a “temperaturesensor in Philadelphia, PA.” for example. Based on the labels attribute,the registrant 118 can issue a discovery request (at 602) to the CSE 22a that includes query criteria such as, for example, “labels=temperaturesensor in Philadelphia, PA.” At 604, the CSE 22 a can then query andfind any resources with this matching labels attribute. If any resourcesexist, the CSE 22 a can include discovery information (e.g., an address)for these resources within the response it returns to the registrant 118at 606.

TABLE 1 Condition tag Multiplicity Matching condition createdBefore 0..1The creationTime attribute of the resource is chronologically before thespecified value. createdAfter 0..1 The creation Time attribute of theresource is chronologically after the specified value. modifiedSince0..1 The lastModifiedTime attribute of the resource is chronologicallyafter the specified value. unmodifiedSince 0..1 The lastModifiedTimeattribute of the resource is chronologically before the specified value.stateTagSmaller 0..1 The stateTag attribute of the resource is smallerthan the specified value. stateTagBigger 0..1 The stateTag attribute ofthe resource is bigger than the specified value. expireBefore 0..1 Theexpiration Time attribute of the resource is chronologically before thespecified value. expireAfter 0..1 The expiration Time attribute of theresource is chronologically after the specified value. Labels 0..n Thelabels attributes of the resource matches the specified value.resourceType 0..n The resourceType attribute of the resource is the sameas the specified value. It also allows discriminating between normal andannounced resources. sizeAbove 0..1 The contentSize attribute of the<contentInstance> resource is equal to or greater than the specifiedvalue. sizeBelow 0..1 The contentSize attribute of the <contentInstance>resource is smaller than the specified value. contentType 0..n ThetypeOfContent attribute of the <contentInstance> resource matches thespecified value. Limit 0..1 Limitation the number of matching resourcesto the specified value. Attribute 0..n This is an attribute of resourcetypes (clause 9.6). Therefore, a real tag name is variable and dependson its usage. E.g., creator of container resource type can be used as afilter criteria tag as “creator = Sam”. filterUsage 0..1 Indicates howthe filter criteria is used. E.g., if this parameter is not provided,the Retrieve operation is for generic retrieve operation. If filterUsageis provided, the Retrieve operation is for resource <discovery> (clause10.2.6).

By way of further background, oneM2M access control mechanisms are usedto authorize access for authenticated service layer registrants toresources and/or services hosted by a CSE. For example, before a givenregistrant is authorized to access resources or services hosted by agiven CSE, the registrant is authenticated by the CSE and registered tothe CSE. After authentication and registration, the registrant isauthorized to access the resources or services. Authorization mayinclude allowing authenticated registrants to access resources andservices hosted in a CSE based on provisioned access control policies702 (or permissions) associated with each individual registrant. Theseaccess control policies 702 may be maintained within a oneM2M defined<accessControlPolicy> resource type that supports a ‘privileges’attribute 704, as shown in FIG. 7. The privileges attribute 704 can beconfigured with access control rules (e.g., policies) that define whichauthenticated service layer registrants are authorized to accessresources associated with the <accessControlPolicy> resource.

Referring now to FIG. 8, OMA LWM2M Resource Discovery is now introduced.OMA LWM2M defines a service layer to enable lightweightapplication-layer communication between a LWM2M client 802 that ishosted on a given M2M device 18, and a LWM2M server 804 that can behosted on various nodes, such as an M2M gateway or server for example.An example OMA LWM2M architecture 800 is shown in FIG. 8. One featuresupported by OMA LWM2M is resource discovery. Resource discovery may beused by the LWM2M server 804 to discover the resources, which can alsobe referred to as objects 806, supported by the LWM2M client 802. Suchdiscovery may be performed in a similar manner as oneM2M resourcediscovery is performed. For example, LWM2M discovery may include aretrieve operation (e.g., CoAP GET) with optional filter criteria, asdescribed above.

Referring now to FIG. 9, it is recognized herein that the existingoneM2M defined resource discovery mechanisms allow a given registrant118 to query and find resources hosted by a given CSE 22 a only when theregistrant 118 is authorized to access the resource. Authorization toaccess a resource is granted by the owner of the resource, which istypically another registrant 118 of the CSE 22 a. The owner of theresource grants authorization by updating the corresponding accesscontrol policies of the resource. For example, the owner may update anaccess control list. Thus, only when authorization is given to aregistrant can the registrant discover and subsequently access theresource. It is further recognized herein that the above-describedresource discovery mechanism is problematic at least because it requiresresource owners to know in advance which registrants are going to try todiscover and access their resources. If a resource owner does not knowthat a particular registrant will try to access a particular resourceowned by the resource owner, and the registrant attempts to discover theresource, the resource will not be discovered and accessed by theregistrant. Thus, the resource owner may lose various opportunities,such as income opportunities for example. Further, a registrant may notbe able to function as desired because the registrant might not be ableto discover and access a particular resource.

It is also recognized herein that existing oneM2M resource discoverymechanisms do not provide feedback to registrants regarding thepermissions that the registrants lack. Such permissions may be requiredfor a registrant to discover and access CSE resources that theregistrant desires. Example feedback includes, presented withoutlimitation, a type of permission that a registrant lacks for accessing aspecific resource, contact information of a particular resource owner,etc. It is recognized herein that the lack of such feedback isproblematic at least because it may prevent registrants from detectingif and when they lack the proper authorization to discover and access aparticular resource. The lack of feedback may prevent registrants fromtaking corrective action, such as requesting and obtaining the properauthorization required from a resource owner for example.

The example problems described above are further described withreference to FIG. 9. As shown, a first AE 20 a is hosted on a sensorgateway 14. The sensor gateway communicates with various M2M devices 18that are configured as sensors in an access network 212, for instance aconstrained network. The first AE 20 a is authenticated by andregistered to a oneM2M CSE 22 a. Thus, the first AE 20 a may also bereferred to as a first registrant 118 a. In accordance with theillustrated example, the first AE 20 a stores its sensor readings withinresources hosted by the CSE 22 a. A second AE 20 b is authenticated byand registered to the CSE 22 a to which the first AE 20 a is registered.Thus, the second AE 20 b may also be referred to as a second registrant118 b. In the example, the second AE 20 b is interested in discoveringand accessing sensors that happen to be the same type as those in theconstrained network 212 that are supported by the first AE 20 a. But thefirst registrant 118 a has no prior knowledge or awareness of the secondregistrant 118 b. Thus, in the example, the second registrant 118 b isunable to discover and access the sensor resources in the CSE 22 a atleast because the second registrant 118 b is not authorized to do so bythe first registrant 118 a. Stated another way, the first AE 20 a cannotgrant the second AE 20 b permissions to discover and access the sensorresources. Thus, in the example, the second AE 20 b is unable todiscover and access the sensor resources owned by the first AE 20 a.

As recognized herein, yet another problem with the existing oneM2Mresource discovery mechanisms is that a registrant cannot specify thetype of operations that the registrant intends to perform on adiscovered resource or service (e.g., Create, Retrieve, Update, Delete,Subscribe, Notify, etc.). Further, using existing mechanisms, it isrecognized herein that a registrant cannot specify the role with whichthe registrant intends to access the discovered resource or service(e.g., user or administrator). Further still, using existing mechanisms,it is recognized herein that a registrant cannot specify a location fromwhich the registrant intends to access the resource or service. Furtherstill, using existing mechanisms, it is recognized herein that aregistrant cannot identify a subscription plan with which the registrantintends to use to access the resources or services (e.g., in the casethat the registrant has multiple plans). Without being able to indicatevarious types of information, such as the example information mentionedabove, a CSE may lack proper awareness of the context in which theregistrant intends to access a discovered resource or service whenprocessing a resource discovery request. Without proper context, the CSEmay be unable to determine whether a registrant has the properpermissions to access the resource or service in the way that theregistrant intends to access the resource or services. Thus, forexample, a registrant may fail in accessing resources or services due toinadequate permissions when the registrant attempts to access discoveredresources or services. Such failures may be avoided or curtailed, forexample, if the CSE can take into account various context informationduring the discovery process, and use the context information to furtherqualify the discovery results that are returned to a registrant.

In accordance with an example embodiment, one or more registrants 118may issue permission-based resource or service discovery requests to aCSE 22 a. The requests may include permission-specific parameters and/orfilter criteria. Upon receiving a request, the CSE 22 a can process therequest. The CSE 20 a, as further described below, may returnpermission-based discovery results to a particular registrant 118. Thediscovery results may include a list of one or more individual resourcesor services that meet the specified discovery criteria contained in thediscovery request. The discovery results may include permission relatedinformation that corresponds to the one or more resources or services.The permission related information can be used by the registrant todetermine which of the discovered resources or services the registranthas adequate permissions to access. The registrant may also determinewhich of the discovered resources or services the registrant hasinadequate permissions to access. Thus, based on permission-relatedinformation, a registrant of the service layer 22 can decide whichactions to take. For example, the registrant can identify resources orservices which it does not or does have adequate permissions to access.

For convenience, the example embodiments are generally described hereinin the context of a oneM2M-based service layer (CSE). It will beunderstood that embodiments are not limited to oneM2M, and embodimentsmay be implemented using various service layers of alternativearchitectures, such as OMA LWM2M for example.

Referring now to FIG. 10, an example method that can be performed usinga CSE 22 a is depicted. At 1002, in accordance with the illustratedembodiment, preliminary operations are performed so that a plurality ofregistrants 118 are registered to the CSE 22 a. For example, a firstregistrant 118 a of the plurality of registrants 118 may mutuallyauthenticate with the CSE 22 a, and the first registrant 118 a mayregister to the CSE 22 a. The first registrant 118 a may create one ormore resources or services which are hosted within the CSE 22 a.Alternatively, or additionally, the first registrant 118 a may createlinks to the one or more resources or services that are hosted externalto the CSE 22 a. The CSE 22 a may manage the access control policies forsuch external resources or services. The first registrant 118 a mayconfigure access controls corresponding to the resources or serviceswith a list of one or more access control policies that the CSE 22 a canuse to authorize access to the resources or services. A secondregistrant 118 b of the plurality of registrants 118 may mutuallyauthenticate with the CSE 22 a, and the second 118 b may register to theCSE 22 a.

Still referring to FIG. 10, in accordance with the illustratedembodiment, at 1004, after the second registrant 118 b is authenticatedand registered to the CSE 22 a for example, the second registrant 118 bcan query the CSE 22 a in a permission based manner. For example, thesecond registrant 118 b may query the CSE 22 a to discover resources orservices that the second registrant 118 b desires. Such a query may bereferred to as a discovery request. The desired resources or servicesmay be owned by the first registrant 118 a. The second registrant 118 amay desire to perform operations on the desired resources or services.Within the discovery request, the second registrant 118 can includevarious information that allows the CSE 22 a to qualify a discoveryresponse based on permissions. The discovery request may be sent by thesecond registrant 118 b based on a trigger. For example, the discoveryrequest may be triggered when the second registrant is notpre-provisioned with information (e.g., URI and permissions) associatedwith desired resources or services. Thus, the second registrant maydynamically discover this information via permission based discovery.

In one embodiment, the CSE 22 a can allow a given registrant tooptionally include permission-based filter criteria in a discoveryrequest. The filter criteria can be used by the CSE 22 a to qualifywhether or not a resource or service matches and is included in adiscovery response. For example, Table 2 below defines additional oneM2Mdiscovery filter criteria or conditions, which also can be referred togenerally as discovery parameters or discovery context, that can be usedto support permission-based discovery functionality defined in thisdisclosure. Permission-based discovery requests can include the examplediscovery context listed in Table 2. It will be understood thatalternative discovery context may be included in discovery requests asdesired. The defined discovery context of Table 2 may be used withexisting oneM2M discovery filter criteria to realize permission-baseddiscovery. The tags of Table 2 can be included in the existing oneM2Mfilter criteria request parameter. Alternatively, or additionally, thetags of Table 2 can be included in an additional permission-based filtercriteria request parameter. In an example embodiment, a user can use auser interface to configure a given registrant to specify whichpermission-based filter criteria, such as the criteria in Table 2 forexample, should be included in a permission based-discovery request thatis sent by the given registrant. Thus, a given registrant may beconfigured, via a user interface, such that the context of a discoveryrequest is specified by a user of the registrant.

TABLE 2 Examples of Permission-based Filter Criteria Tags Descriptionpermissions Used to instruct the CSE to include resources or services inthe discovery response that: 1) the registrant has permissions toaccess, or 2) the registrant does NOT have permissions to access E.g.permissions = granted | denied operations Used to instruct the CSE toinclude resources or services in the discovery response on which theregistrant can perform the specified operations. E.g. operations =C|R|U|D|S|N Where C = Create, R = Retrieve, U = Update, D = Delete, S =Subscribe, N = Notify roles Used to instruct the CSE to includeresources or services in the discovery response which the registrant canaccess via the specified roles. E.g. roles = user|administratorlocations Used to instruct the CSE to include resources or services inthe discovery response which the registrant can access from thespecified locations. E.g. locations = home|mobile E.g. locations = <ipaddress1>|<ip address2> subscriptions Used to instruct the CSE toinclude resources or services in the discovery response which theregistrant can access using the specified subscription plan. E.g.subscription = planA

In another example embodiment, additional oneM2M discovery requestparameters can be used instead of or in addition to the permission-basedfilter criteria described above in Table 2. Permission-based discoveryrequests can include the example discovery parameters listed in Table 3,which can also be referred to generally as discovery context. It will beunderstood that alternative discovery parameters may be included indiscovery requests as desired. Further, the example discovery parameterslisted in Table 3 may be used with existing oneM2M discovery requestparameters to realize permission-based discovery. In an exampleembodiment, a user can use a user interface to configure a givenregistrant to specify which permission-based discovery parameters, suchas the parameters listed in Table 3 for example, should be included in apermission based-discovery request that is sent by the given registrant.

TABLE 3 Example Permission- based Discovery Request ParametersDescription targetedOperations The operations (e.g., create, retrieve,update, delete, read, write, subscribe, etc.) that the registrantintends to perform on the discovered resource or service hosted by theCSE. targetedRoles The roles (e.g., user, administrator, etc.) theregistrant intends to be acting as when performs the targeted operationson the discovered resource or service. targetedLocation The location(geo, network, indoor, etc) the registrant intends to access thediscovered resources from. currentSubscription The type or level ofbusiness relationship (e.g., type of subscriber, subscription level,etc.) that the registrant currently has with the CSE's owner orprovider. This can include subscription-based information such as thefees or terms that are part of the registrant's current subscription.newSubscription The type or level of business relationship (e.g., typeof subscriber, subscription level, etc.) that the registrant is willingto upgrade to or enter into in order to access the resource or service.This can include subscription-based information such as the fees orterms that a registrant is willing to agree to in order to access aresource or service.

Referring again to FIG. 10, in accordance with the illustratedembodiment, at 1006, upon receiving the discovery request, the CSE 22 acan determine that the discovery request is a permission-based discoveryrequest. For example, the CSE 22 a may detect the presence of one ormore permission-based filter criteria or request parameters, referred tocollectively as discovery context. Based on detecting a permission-baseddiscovery request, the CSE 22 a can process the discovery request todetermine resources or services match the request. For example, the CSE22 a may compare filter criteria indicated in the discovery request tocorresponding attributes associated with resources or services that theCSE 22 a hosts. By way of further example, the CSE 22 a may comparerequest parameters indicated in the discovery request to correspondingattributes associated with resources or services that the CSE 22 ahosts. Further, the CSE 22 a can compare filter criteria or attributesto corresponding attributes associated with resources or services towhich the CSE 22 a is linked. In some cases, if the resources orservices that are desired by the second registrant 118 b are found(discovered) by the CSE 22 a, the CSE 22 a may check a list of one ormore permissions that are associated with the desired resources orservices to determine whether the discovered resources or services areaccessible to the second registrant 118 b, which can also be referred toas the requesting registrant 118 b. The permissions may be maintained bythe CSE 22 a. It will be understood that any of the described methodsfor defining permissions can be used individually or together in anyappropriate combination.

In some cases, permissions may be implemented as an Access Control List(ACL). If the permissions are implemented as an ACL, the CSE 22 a cansearch the ACL using an identity (ID) of the requesting registrant 118 bthat is associated with the CSE 22 a. The CSE 22 a can search the ACL todetermine if any permissions exist for the registrant 118 b. Ifpermissions that are associated with the registrant 118 b are found, theCSE 22 a can compare the permissions to an operation that the registrant118 b desires to perform on the desired resource or service. If thepermissions allow the desired operation to be performed, for example,the CSE 22 a can include the desired resource or service in thediscovery results. If the permissions do not allow the desiredoperation, or no permissions associated with the requesting registrant118 b exist, the CSE 22 a can omit the desired resource or service fromthe discovery results. In accordance with an example embodiment, the CSE22 a can optionally include information in a discovery response thatnotifies the registrant 118 b that a matching resource or service wasdiscovered (found), but the registrant 118 b currently lacks sufficientpermissions to access the discovered resource or service. Further, theCSE 22 a may specify which permissions the requesting registrant 118 blacks, as described further with respect to 1008 in FIG. 10.

In another example, permissions are implemented as Role Based AccessControls. For example, the CSE 22 a can compare a role that therequesting registrant 118 b has indicated will be assumed to perform adesired operation on/to the discovered resource or service. If thedesired operation is permitted for the specified role, the CSE 22 a mayinclude the resource or service in the discovery results. If theoperation is not permitted for the specified role, or if there are nopermissions that exist for the specified role, the CSE can omit theresource or service from the discovery results. In an exampleembodiment, the CSE 22 a can optionally include information in thediscovery response that notifies the requesting registrant 118 b that amatching resource or service was discovered (found), but the registrant118 b currently cannot access the discovered resource or service usingthe specified role. Further, the CSE 22 a may specify which role isrequired for the registrant 118 b to access the desired resource orservice.

In yet another example embodiment, permissions are implemented asSubscription Based Access Controls. When the permissions are implementedas Subscription Based Access Controls, the CSE 22 a may compare a typeof subscription that the requesting registrant 118 b has to a type ofsubscription that is required to perform the desired operation on thedesired resource or service. If the desired operation is permitted forthe specified subscription type, the CSE 22 a can include the desiredresource or service in the discovery results. If the operation is notpermitted for the specified subscription type, or if there are nopermissions that exist for the specified subscription type, the CSE 22 acan omit the desired resource or service from the discovery results.Further, the CSE 22 a may specify which type of subscription to the CSE22 a is required to access the desired resources or services.

With continuing reference to FIG. 10, in accordance with the illustratedembodiment, at 1008, the CSE 22 a returns a permission-based discoveryresponse to the second registrant 118 b. In the discovery response, theCSE 22 a can inform the second registrant 118 a of which permissions thesecond registrant has and/or lacks to access each of one or more of thediscovered resources or services. For example, at 1006, the CSE 22 a caninclude a description of the second registrant's permissions (or lackthereof) to access one or more resources or services found duringdiscovery. Such permission information can be included by the CSE 22 ain the discovery response that the CSE 22 a sends to the secondregistrant 118 b. Based on permission information, the second registrant118 b can determine which of the discovered resources or services (ifany) the second registrant 118 b has sufficient permissions such thesecond registrant can perform desired operations on the resources orservices. Table 4 below defines additional oneM2M discovery responseparameters that can be used to indicate various permission informationto registrants. Thus, the example discovery response parameters in Table4 may be used to enable permission-based resource discoveryfunctionality described above. It will be understood that alternativediscovery response parameters may be included in discovery responses asdesired, and thus discovery responses are not limited to thepermissioned-discovery response parameters listed in Table 4. In anexample embodiment, a user interface associated with the secondregistrant 118 b can display the permission-based discovery results,such as the parameters listed in Table 4 for example, that are containedin a given response from the CSE 22 a. Thus, based on the response, theuser, via the user interface, may select one or more resources orservices that the user has permission to access. For example, the resultindicated by a discovery response may be displayed by a user interfacesuch that a user of the registrant may select one or more resources, viathe user interface, that the registrant has permission to access.

TABLE 4 Example Permission- based Discovery Response ParametersDescription grantedResources The resources hosted in the CSE that matchthe discovery filterCriteria specified in the discovery request whichthe registrant is allowed to perform grantedOperations on.deniedResources The resources hosted in the CSE that match the discoveryfilterCriteria specified in the discovery request, but the registrant isNOT allowed to access due to a lack of permissions grantedServices Theservices hosted in the CSE that match the discovery filterCriteriaspecified in the discovery request which the registrant is allowed toperform grantedOperations on. deniedServices The services hosted in theCSE that match the discovery filterCriteria specified in the discoveryrequest, but the registrant is NOT allowed to access due to a lack ofpermissions grantedOperations Based on the targetedOperations specifiedin the discovery request, these are the operations (e.g., create,retrieve, update, delete, read, write, subscribe, etc.) that theregistrant is allowed to perform on the discovered grantedResources orgrantedServices hosted by the CSE. deniedOperations Based on thetargetedOperations specified in the discovery request, these are theoperations (e.g. create, retrieve, update, delete, read, write,subscribe, etc.) that the registrant is NOT allowed to perform on thediscovered grantedResources or grantedServices hosted by the CSE.grantedRoles Based on the targetedRoles specified in the discoveryrequest, these are the roles (e.g. user, administrator, etc.) theregistrant has been granted to perform grantedOperations on thegrantedResources or grantedServices. deniedRoles Based on thetargetedRoles specified in the discovery request, these are the roles(e.g. user, administrator, etc.) the registrant has been denied to usewhen accessing the grantedResources or grantedServices. grantedLocationBased on the targetedLocations specified in the discovery request, theseare the locations (geo, network, indoor, etc) the registrant has beengranted to access the discovered resources from. deniedLocation Based onthe targetedLocations specified in the discovery request, these are thelocations (geo, network, indoor, etc) the registrant has been denied toaccess the discovered resources from. requiredSubscription The type orlevel of business relationship (i.e., type of subscriber, subscriptionlevel, etc.) that the registrant must have with the CSE's owner orprovider in order to access the grantedResources or grantedServices.

Still referring to FIG. 10, upon receiving the permission awarediscovery response from the CSE 22 a, the second registrant 118 b candetect whether or not any resources or services exist in the CSE 22 afor which it has sufficient permissions to perform a desired operationon. For example, the registrant 118 b may inspect one or more, forinstance each, of the permission-based discovery response parameterslisted in Table 4 above to determine whether any of the discoveredresources or services are accessible to the registrant 118 b. If theregistrant 118 b is permitted to access at least one of the desired anddiscovered resources and services, the process may proceed to 1012 a,where the second registrant 118 b accesses the resource or service,which may be owned by the first registrant 118 a. Alternatively, if theregistrant 118 b is not permitted to access at least one of the desiredand discovered resources and services, the process may proceed to 1012b, where the registrant 118 b can try to obtain the permissions that arenecessary to access the discovered and desired resource or services. Forexample, the registrant 118 b may use information provided in thepermission-based discovery response (e.g., resource or service owner'saddress, permissions it is lacking, etc.) to obtain necessarypermissions.

Thus, as described above, a system may include a registrant, forinstance the second registrant 118 b, that communicates with a networknode that hosts the service layer 22, which can be referred to as theCSE 22 a. The network node may receive a discovery request for aresource from the registrant. The requested resource may be a resourcethat the registrant is not authorized to access. The discovery requestmay include various context. For example, the context of the discoveryrequest may be indicative of at least one of an operation that theregistrant intends to perform on the resource, a role that theregistrant intends to assume if the registrant accesses the resource, alocation in which the registrant intends to access the resource, and asubscription plan that the registrant intends to use if the registrantaccesses the resource. Based on the context of the discovery request,the network node may determine whether one or more resources at theservice layer satisfy the discovery request. The network node may send adiscovery response to the registrant, wherein the discovery responseindicates a result of the determination of whether the one or moreresources satisfy the discovery request. When the one or more resourcesdo not satisfy the discovery request, the network node may send at leastone resource to the registrant such that the registrant can obtainpermission to access the at least one resource. When the one or moreresources satisfy the discovery request, the network node may send theone or more resources to the registrant.

It will be understood that the entities performing the steps illustratedin FIG. 6 are logical entities that may be implemented in the form ofsoftware (e.g., computer-executable instructions) stored in a memory of,and executing on a processor of, a device, server, or computer systemsuch as those illustrated in FIG. 13C or FIG. 13D. That is, themethod(s) illustrated in FIG. 6 may be implemented in the form ofsoftware (e.g., computer-executable instructions) stored in a memory ofa computing device, such as the device or computer system illustrated inFIGS. 13C or 13D, which computer-executable instructions, when executedby a processor of the computing device, perform the steps illustrated inFIG. 6.

As described above, a registrant that is authenticated by a servicelayer (an authenticated registrant) can initiate permission-based oneM2Mresource or service discovery by including one or more permission-basedfilter criteria, such as the criteria listed in Table 2 for example,within the discovery request it issues to a given CSE 22 a. Uponreceiving the request, the CSE 22 a may determine that the request is apermission-based discovery request by detecting the presence of one ormore of the permission-based filter criteria. Based on the detection,the CSE 22 a can process the discovery request to determine whether anymatching resources or services exist by comparing the filter criteriaand/or request parameters to corresponding attributes associated with ofeach the resources or services that the CSE 22 a hosts. The CSE 22 a canreturn the matching resource or services within the discovery response.In addition, the CSE can also include permission-based discoveryresponse parameters, such as the discovery response parameters depictedin FIG. 4 for example, within the response. Matching resources orservice and permission-based discovery response parameters cancollectively be referred to as permission-based discovery results. Thereceiving registrant can parse the permission-based discovery results todetermine if any resources or services match the filter criteria fromthe discovery request. Further, the receiving registrant can evaluatethe permission-based discovery results to determine whether it hassufficient permissions to access the resources or services that matchthe filter criteria. If the receiving registrant does not have adequatepermissions, the registrant can determine which permissions it islacking from information contained in the discovery response.

FIG. 11 depicts an example of a permission-based discovery performed byan example system 1101 that includes an example registrant 118 (e.g., anAE 20 a or CSE 22 a) and an example service layer 22, such as a CSE 22 afor example. It will be understood that the CSE 22 a may be hosted onany appropriate network node. It will be appreciated that the exampledepicted in FIG. 11 is simplified to facilitate description of thedisclosed subject matter and is not intended to limit the scope of thisdisclosure. Other devices, systems, and configurations may be used toimplement the embodiments disclosed herein in addition to, or insteadof, a system such as the system 1101, and all such embodiments arecontemplated as within the scope of the present disclosure.

Referring to FIG. 11, at 1100, the registrant 118 is authenticated andregisters to the CSE 22 a. In some cases, before the registrant 118 canbe authorized to access resources or services hosted in the CSE 22 a, itmust be successfully authenticated by the CSE 22 a and registered to theCSE 22 a. In some cases, existing oneM2M defined authentication,registration, and access control mechanisms are implemented at 1100. At1102, in accordance with the illustrated embodiment, the registrant 118sends a permission-based resource or service discovery request to theCSE 22 a. Within this request, the registrant 118 a may include existingoneM2M specified parameters, such as the registrant's ID, an address ofthe resource where the discovery operation is to begin (e.g.,<CSEBase>), and discovery filter criteria (fc) (e.g., a label containinga search string of “temperature sensor in Philadelphia, PA”) forexample. As shown, the request may also include permission-baseddiscovery filter criteria, such as the permission-based filter criteriadescribed above. The criteria in the example illustrated in FIG. 11indicate (specify) that the registrant 118 is interested in discoveringresources that 1) the registrant 118 has permissions to access andresources that the registrant does not have permission to access(permissions=granted|denied); the registrant 118 b can perform Retrieve,Subscription, and Notification operations on; 3) the registrant 118 bcan access with a role of ‘admin’; 4) the registrant can access from‘home’; and 5) the registrant can access via its ‘Verizon’ subscriptionplan.

Still referring to the example depicted in FIG. 11, at 1104, the CSE 22a receives the permission-based discovery request and processes theinformation in the request that is provided by the registrant 118. TheCSE 22 a may compare the context information in the request with thetypes of resources and services hosted by the CSE 22 a, and the accesscontrol policies associated with the resources and services hosted bythe CSE 22 a. The CSE 22 a may use the registrant's ID to compare theaccess control policies of each resource it finds that meets thecriteria. In the illustrated example, as a result of the processing at1104 that is based on the ID of the registrant 118, the CSE 22 a finds afirst resource (<CSEBase>/<app01>/<temp_in_Philly) that meets the filtercriteria (e.g., the labels) and the CSE 22 a determines that theregistrant has permission to access the first resource. Further, the CSE22 a determines that the first resource at least partially meets thepermission-based request parameters. Additionally, in the illustratedexample, the CSE 22 a discovers a second resource that meets the filtercriteria (e.g., labels), and the CSE 22 a determines, based on the ID ofthe registrant 118, that the registrant 118 does not have permissionsthat are required to access the second resource(<CSEBase>/<app02>/<Philly_current_temp).

At 1106, in accordance with the illustrated example, the CSE 22 areturns a response to the registrant 118. The response includes thepermission-based service or resource discovery results. Thus, theresponse indicates the first resource that the registrant 118 haspermission to access and the second resource that the registrant 118does not have permission to access. As shown, the CSE 22 a includespermission-based response parameters associated with the first resourceand the second resource. The example permission-based responseparameters indicate the following information to the registrant 118: 1)the registrant 118 has permissions to accessCSEBase>/<app01>/<temp_in_Philly but not<CSEBase>/<app02>/<Philly_current_temp; 2) the registrant 118 haspermissions to perform Retrieve operations toCSEBase>/<app01>/<temp_in_Philly but not subscription or notifications;3) the registrant 118 can access CSEBase>/<app01>/<temp_in_Philly as auser but not an administrator; 4) the registrant 118 can accessCSEBase>/<app01>/<temp_in_Philly from anywhere (not just from home); 5)the registrant 118 can access CSEBase>/<app01>/<temp_in_Philly using itsVerizon subscription plan; and 5) the registrant 118 does NOT havepermissions to access CSEBase>/<app02>/<Philly_current_temp> because theregistrant 118 does not have an Amazon Prime subscription plan. It willbe understood that the above permission-based response parameters arepresented merely for purposes of example, and alternative responseparameters may be used in embodiments described herein as desired.

At 1108, in accordance with the illustrated example, the registrant 118processes the permission-based discovery response to determine whetherany resources or services exist to which the registrant 118 has adequatepermissions to access. In the illustrated example, the registrant 118determines that it has access to the first resource(CSEBase>/<app01>/<temp_in_Philly). The registrant 118 also detects thatit only has permission to perform Retrieve operations on the firstresource, and thus the registrant 118 is not permitted to performsubscription or notification operations on the first resource. Based onthe discovery response, the first registrant also detects that it mustaccess the first resource via a user, and thus not an administrator.Based on the discovery response, a user of the registrant 118 may decideto setup an Amazon Prime account so that the registrant 118 can accessthe second resource (CSEBase>/<app01>/<temp_in_Philly).

Referring now to FIG. 12, in an alternative embodiment, permission-baseddiscovery information can be carried in oneM2M request parameters. Asshown in FIG. 12, the permission-based filter criteria in FIG. 11 may bewith oneM2M request parameters. An authenticated registrant can initiatepermission-based oneM2M resource or service discovery by including oneor more permission-based request parameters, such as the parameterslisted in Table 3 for example, within the discovery request that theregistrant issues to a CSE. Upon receiving the request, a CSE can detectthat it is a permission-based discovery request by detecting thepresence of these permission-based request parameters. Upon thisdetection, the CSE can process the request to determine whether anymatching resources or services exist, for example, by comparing thefilter criteria and request parameters against the correspondingattributes of each of its hosted resources or services. The CSE canreturn the matching resource or services within the discovery response.In addition, the CSE can also include permission-based discoveryresponse parameters within the response, such as the response parameterslisted in Table 4 for example. The registrant can parse thepermission-based discovery results to determine whether any resources orservices match the filter criteria and whether the registrant hassufficient permissions to access them. If permission is insufficient,the registrant can determine which permissions it lacks.

FIG. 12 depicts an example of a permission-based discovery performed byan example system 1201 that includes an example registrant 118 (e.g., anAE 20 a or CSE 22 a) and an example service layer 22, such as a CSE 22 afor example. It will be understood that the CSE 22 a may be hosted onany appropriate network node. It will be appreciated that the exampledepicted in FIG. 12 is simplified to facilitate description of thedisclosed subject matter and is not intended to limit the scope of thisdisclosure. Other devices, systems, and configurations may be used toimplement the embodiments disclosed herein in addition to, or insteadof, a system such as the system 1201, and all such embodiments arecontemplated as within the scope of the present disclosure.

Referring to FIG. 12, at 1100, the registrant 118 is authenticated andregisters to the CSE 22 a. In some cases, before the registrant 118 canbe authorized to access resources or services hosted in the CSE 22 a, itmust be successfully authenticated by the CSE 22 a and registered to theCSE 22 a. In some cases, existing oneM2M defined authentication,registration, and access control mechanisms are implemented at 1100. At1202, in accordance with the illustrated example, the registrant 118sends a permission-based resource or service discovery request to theCSE 22 a. Within this request, the registrant 118 a may include existingoneM2M specified parameters, such as the registrant's ID, an address ofthe resource where the discovery operation is to begin (e.g.,<CSEBase>), and discovery filter criteria (fc) (e.g., a label containinga search string of “temperature sensor in Philadelphia, PA”) forexample. As shown, the request may include contains permission-baseddiscovery request parameters, such as the parameters listed in Table 3for example. The parameters in the example illustrated in FIG. 12indicate (specify) that the registrant 118 intends to: 1) performRetrieve, Subscription and Notification operations on the discoveredresource; 2) access the resources with a role as ‘admin’; 3) access theresources from ‘home’; and 4) access the resources via its ‘Verizon’subscription plan.

Still referring to the example depicted in FIG. 12, at 1204, the CSE 22a receives the permission-based discovery request and processes theinformation in the request that is provided by the registrant 118. TheCSE 22 a may compare the context information in the request with thetypes of resources and services hosted by the CSE 22 a, and the accesscontrol policies associated with the resources and services hosted bythe CSE 22 a. The CSE 22 a may use the registrant's ID to compare theaccess control policies of each resource it finds that meets thecriteria. In the illustrated example, as a result of the processing at1204 that is based on the ID of the registrant 118, the CSE 22 a finds afirst resource (<CSEBase>/<app01>/<temp_in_Philly) that meets the filtercriteria (e.g., the labels) and the CSE 22 a determines that theregistrant has permission to access the first resource. Further, the CSE22 a determines that the first resource at least partially meets thepermission-based request parameters. Additionally, in the illustratedexample, the CSE 22 a discovers a second resource that meets the filtercriteria (e.g., labels), and the CSE 22 a determines, based on the ID ofthe registrant 118, that the registrant 118 does not have permissionsthat are required to access the second resource(<CSEBase>/<app02>/<Philly_current_temp).

At 1206, in accordance with the illustrated example, the CSE 22 areturns a response to the registrant 118. The response includes thepermission-based service or resource discovery results. Thus, theresponse indicates the first resource that the registrant 118 haspermission to access and the second resource that the registrant 118does not have permission to access. As shown, the CSE 22 a includespermission-based response parameters associated with the first resourceand the second resource. The example permission-based responseparameters indicate the following information to the registrant 118: 1)the registrant 118 has permissions to accessCSEBase>/<app01>/<temp_in_Philly but not<CSEBase>/<app02>/<Philly_current_temp; 2) the registrant 118 haspermissions to perform Retrieve operations toCSEBase>/<app01>/<temp_in_Philly but not subscription or notifications;3) the registrant 118 can access CSEBase>/<app01>/<temp_in_Philly as auser but not an administrator; 4) the registrant 118 can accessCSEBase>/<app01>/<temp_in_Philly from anywhere (not just from home); 5)the registrant 118 can access CSEBase>/<app01>/<temp_in_Philly using itsVerizon subscription plan; and 5) the registrant 118 does NOT havepermissions to access CSEBase>/<app02>/<Philly_current_temp> because theregistrant 118 does not have an Amazon Prime subscription plan. It willbe understood that the above permission-based response parameters arepresented merely for purposes of example, and alternative responseparameters may be used in embodiments described herein as desired.

At 1208, in accordance with the illustrated example, the registrant 118processes the permission-based discovery response to determine whetherany resources or services exist to which the registrant 118 has adequatepermissions to access. In the illustrated example, the registrant 118determines that it has access to the first resource(CSEBase>/<app01>/<temp_in_Philly). The registrant 118 also detects thatit only has permission to perform Retrieve operations on the firstresource, and thus the registrant 118 is not permitted to performsubscription or notification operations on the first resource. Based onthe discovery response, the first registrant also detects that it mustaccess the first resource via a user, and thus not an administrator.Based on the discovery response, a user of the registrant 118 may decideto setup an Amazon Prime account so that the registrant 118 can accessthe second resource (CSEBase>/<app01>/<temp_in_Philly).

It will be understood that FIGS. 6-12 and the description relatedthereto illustrate various embodiments of methods and apparatuses fordiscovering services and resources. In these figures, various steps oroperations are shown being performed by one or more nodes, devices,functions, or networks. It is understood that the nodes, devices,functions, or networks illustrated in these figures may representlogical entities in a communication network and may be implemented inthe form of software (e.g., computer-executable instructions) stored ina memory of, and executing on a processor of, a node of such network,which may comprise one of the general architectures described herein(e.g., see FIGS. 13A and 13B). That is, the methods illustrated in FIGS.6, 11, and 12 may be implemented in the form of software (e.g.,computer-executable instructions) stored in a memory of a network node,such as for example the node or computer system illustrated in FIGS. 13Cor 13D, which computer executable instructions, when executed by aprocessor of the node, perform the steps illustrated in the figures. Itis also understood that any transmitting and receiving steps illustratedin these figures may be performed by communication circuitry (e.g.,circuitry 34 or 97 of FIGS. 13C and 13D, respectively) of the node undercontrol of the processor of the node and the computer-executableinstructions (e.g., software) that it executes.

As described above, a user can define various permission based resourceor service discovery criteria, and corresponding results can be rendered(e.g., displayed) to the user. FIG. 14A shows an example graphical userinterface 1400 for configuring permission-based discovery requests. Asshown, a user can search based on targeted operations, targeted roles,targeted locations, a current subscription, a new subscription, or anyappropriate combination thereof. It will be understood that othercriteria may be displayed and selected as desired. After a user hasentered the desired search criteria, the user may actuate a searchoption 1401 so that the search is performed. After a search isperformed, a results interface, such as a results interface 1402 shownin FIG. 14B, may be rendered to the user. In accordance with theexample, the results interface 1402 includes discovery results 1404 athat are associated with granted permissions, and results 1404 b thatare associated with denied permissions. It will be understood that theresults can be alternatively classified as desired. Furthermore, theillustrated results 1404 a and 1404 b may include, for example andwithout limitation, a list of resources, services, operations, roles,locations, and subscriptions, which are associated with the discoverycriteria.

FIG. 13A is a diagram of an example machine-to-machine (M2M), Internetof Things (IoT), or Web of Things (WoT) communication system 10 in whichone or more disclosed embodiments may be implemented. Generally, M2Mtechnologies provide building blocks for the IoT/WoT, and any M2Mdevice, M2M gateway or M2M service platform may be a component of theIoT/WoT as well as an IoT/WoT service layer, etc. Any of the devices,functions, nodes, or networks illustrated in any of FIGS. 6-12 maycomprise a node of a communication system such as the one illustrated inFIGS. 13A-D.

As shown in FIG. 13A, the M2M/IoT/WoT communication system 10 includes acommunication network 12. The communication network 12 may be a fixednetwork (e.g., Ethernet, Fiber, ISDN, PLC, or the like) or a wirelessnetwork (e.g., WLAN, cellular, or the like) or a network ofheterogeneous networks. For example, the communication network 12 maycomprise of multiple access networks that provides content such asvoice, data, video, messaging, broadcast, or the like to multiple users.For example, the communication network 12 may employ one or more channelaccess methods, such as code division multiple access (CDMA), timedivision multiple access (TDMA), frequency division multiple access(FDMA), orthogonal FDMA (OFDMA), single-carrier FDMA (SC-FDMA), and thelike. Further, the communication network 12 may comprise other networkssuch as a core network, the Internet, a sensor network, an industrialcontrol network, a personal area network, a fused personal network, asatellite network, a home network, or an enterprise network for example.

As shown in FIG. 13A, the M2M/IoT/WoT communication system 10 mayinclude the Infrastructure Domain and the Field Domain. TheInfrastructure Domain refers to the network side of the end-to-end M2Mdeployment, and the Field Domain refers to the area networks, usuallybehind an M2M gateway. The Field Domain includes M2M gateways 14 andterminal devices 18. It will be appreciated that any number of M2Mgateway devices 14 and M2M terminal devices 18 may be included in theM2M/IoT/WoT communication system 10 as desired. Each of the M2M gatewaydevices 14 and M2M terminal devices 18 are configured to transmit andreceive signals via the communication network 12 or direct radio link.The M2M gateway device 14 allows wireless M2M devices (e.g. cellular andnon-cellular) as well as fixed network M2M devices (e.g., PLC) tocommunicate either through operator networks, such as the communicationnetwork 12 or direct radio link. For example, the M2M devices 18 maycollect data and send the data, via the communication network 12 ordirect radio link, to an M2M application 20 or M2M devices 18. The M2Mdevices 18 may also receive data from the M2M application 20 or an M2Mdevice 18. Further, data and signals may be sent to and received fromthe M2M application 20 via an M2M service layer 22, as described below.M2M devices 18 and gateways 14 may communicate via various networksincluding, cellular, WLAN, WPAN (e.g., Zigbee, 6LoWPAN, Bluetooth),direct radio link, and wireline for example. Exemplary M2M devicesinclude, but are not limited to, tablets, smart phones, medical devices,temperature and weather monitors, connected cars, smart meters, gameconsoles personal digital assistants, health and fitness monitors,lights, thermostats, appliances, garage doors and other actuator-baseddevices, security devices, and smart outlets.

Referring to FIG. 13B, the illustrated M2M service layer 22 in the fielddomain provides services for the M2M application 20, M2M gateway devices14, and M2M terminal devices 18 and the communication network 12. Itwill be understood that the M2M service layer 22 may communicate withany number of M2M applications, M2M gateway devices 14, M2M terminaldevices 18, and communication networks 12 as desired. The M2M servicelayer 22 may be implemented by one or more servers, computers, or thelike. The M2M service layer 22 provides service capabilities that applyto M2M terminal devices 18, M2M gateway devices 14 and M2M applications20. The functions of the M2M service layer 22 may be implemented in avariety of ways, for example as a web server, in the cellular corenetwork, in the cloud, etc.

Similar to the illustrated M2M service layer 22, there is the M2Mservice layer 22′ in the Infrastructure Domain. M2M service layer 22′provides services for the M2M application 20′ and the underlyingcommunication network 12′ in the infrastructure domain. M2M servicelayer 22′ also provides services for the M2M gateway devices 14 and M2Mterminal devices 18 in the field domain. It will be understood that theM2M service layer 22′ may communicate with any number of M2Mapplications, M2M gateway devices and M2M terminal devices. The M2Mservice layer 22′ may interact with a service layer by a differentservice provider. The M2M service layer 22′ may be implemented by one ormore servers, computers, virtual machines (e.g., cloud/compute/storagefarms, etc.) or the like.

Still Referring to FIG. 13B, the M2M service layer 22 and 22′ provide acore set of service delivery capabilities that diverse applications andverticals can leverage. These service capabilities enable M2Mapplications 20 and 20′ to interact with devices and perform functionssuch as data collection, data analysis, device management, security,billing, service/device discovery etc. Essentially, these servicecapabilities free the applications of the burden of implementing thesefunctionalities, thus simplifying application development and reducingcost and time to market. The service layer 22 and 22′ also enables M2Mapplications 20 and 20′ to communicate through various networks 12 and12′ in connection with the services that the service layer 22 and 22′provide.

The M2M applications 20 and 20′ may include applications in variousindustries such as, without limitation, transportation, health andwellness, connected home, energy management, asset tracking, andsecurity and surveillance. As mentioned above, the M2M service layer,running across the devices, gateways, and other servers of the system,supports functions such as, for example, data collection, devicemanagement, security, billing, location tracking/geofencing,device/service discovery, and legacy systems integration, and providesthese functions as services to the M2M applications 20 and 20′.

Permission-based resource or service discovery described herein may beimplemented as part of any service layer. Generally, a service layer(SL) defines a software middleware layer that supports value-addedservice capabilities through a set of application programming interfaces(APIs) and underlying networking interfaces. ETSI M2M's service layer isreferred to as the Service Capability Layer (SCL). The SCL may beimplemented in a variety of different nodes of the ETSI M2Marchitecture. For example, an instance of the service layer may beimplemented within an M2M device (where it is referred to as a deviceSCL (DSCL)), a gateway (where it is referred to as a gateway SCL (GSCL))and/or a network node (where it is referred to as a network SCL (NSCL)).The oneM2M service layer supports a set of Common Service Functions(CSFs) (i.e. service capabilities). An instantiation of a set of one ormore particular types of CSFs is referred to as a Common Services Entity(CSE), which can be hosted on different types of network nodes (e.g.infrastructure node, middle node, application-specific node). The ThirdGeneration Partnership Project (3GPP) has also defined an architecturefor machine-type communications (MTC). In that architecture, the servicelayer, and the service capabilities it provides, are implemented as partof a Service Capability Server (SCS). Whether embodied in a DSCL, GSCL,or NSCL of the ETSI M2M architecture, in a Service Capability Server(SCS) of the 3GPP MTC architecture, in a CSF or CSE of the oneM2Marchitecture, or in some other node of a network, an instance of theservice layer may be implemented in a logical entity (e.g., software,computer-executable instructions, and the like) executing either on oneor more standalone nodes in the network, including servers, computers,and other computing devices or nodes, or as part of one or more existingnodes. As an example, an instance of a service layer or componentthereof may be implemented in the form of software running on a networknode (e.g., server, computer, gateway, device, or the like) having thegeneral architecture illustrated in FIG. 13C or 13D described below.

Further, the methods and functionalities described herein may beimplemented as part of an M2M network that uses a Service OrientedArchitecture (SOA) and/or a resource-oriented architecture (ROA) toaccess services.

FIG. 14C is a block diagram of an example hardware/software architectureof a node of a network, such as one of the nodes, devices, functions, ornetworks illustrated in FIGS. 6-12 that may operate as an M2M server,gateway, device, or other node in an M2M network such as thatillustrated in FIGS. 13A and 13B. As shown in FIG. 13C, the node 30 mayinclude a processor 32, a transceiver 34, a transmit/receive element 36,a speaker/microphone 38, a keypad 40, a display/touchpad 42,non-removable memory 44, removable memory 46, a power source 48, aglobal positioning system (GPS) chipset 50, and other peripherals 52.For example, the display/touchpad/indicator(s) may render the exampleGUIs 1400 and 1402 described above. The node 30 may also includecommunication circuitry, such as a transceiver 34 and a transmit/receiveelement 36. It will be appreciated that the node 30 may include anysub-combination of the foregoing elements while remaining consistentwith an embodiment. This node may be a node that implements the methodsrelated to permission-based discovery described herein.

The processor 32 may be a general purpose processor, a special purposeprocessor, a conventional processor, a digital signal processor (DSP), aplurality of microprocessors, one or more microprocessors in associationwith a DSP core, a controller, a microcontroller, Application SpecificIntegrated Circuits (ASICs), Field Programmable Gate Array (FPGAs)circuits, any other type of integrated circuit (IC), a state machine,and the like. The processor 32 may perform signal coding, dataprocessing, power control, input/output processing, and/or any otherfunctionality that enables the Node 30 to operate in a wirelessenvironment. The processor 32 may be coupled to the transceiver 34,which may be coupled to the transmit/receive element 36. While FIG. 13Cdepicts the processor 32 and the transceiver 34 as separate components,it will be appreciated that the processor 32 and the transceiver 34 maybe integrated together in an electronic package or chip. The processor32 may perform application-layer programs (e.g., browsers) and/or radioaccess-layer (RAN) programs and/or communications. The processor 32 mayperform security operations such as authentication, security keyagreement, and/or cryptographic operations, such as at the access-layerand/or application layer for example.

As shown in FIG. 14C, the processor 32 is coupled to its communicationcircuitry (e.g., transceiver 34 and transmit/receive element 36). Theprocessor 32, through the execution of computer executable instructions,may control the communication circuitry in order to cause the node 30 tocommunicate with other nodes via the network to which it is connected.In particular, the processor 32 may control the communication circuitryin order to perform the transmitting and receiving steps describedherein (e.g., in FIGS. 6, 11, and 12) and in the claims. While FIG. 13Cdepicts the processor 32 and the transceiver 34 as separate components,it will be appreciated that the processor 32 and the transceiver 34 maybe integrated together in an electronic package or chip.

The transmit/receive element 36 may be configured to transmit signalsto, or receive signals from, other nodes, including M2M servers,gateways, devices, and the like. For example, in an embodiment, thetransmit/receive element 36 may be an antenna configured to transmitand/or receive RF signals. The transmit/receive element 36 may supportvarious networks and air interfaces, such as WLAN, WPAN, cellular, andthe like. In an embodiment, the transmit/receive element 36 may be anemitter/detector configured to transmit and/or receive IR, UV, orvisible light signals, for example. In yet another embodiment, thetransmit/receive element 36 may be configured to transmit and receiveboth RF and light signals. It will be appreciated that thetransmit/receive element 36 may be configured to transmit and/or receiveany combination of wireless or wired signals.

In addition, although the transmit/receive element 36 is depicted inFIG. 13C as a single element, the node 30 may include any number oftransmit/receive elements 36. More specifically, the node 30 may employMIMO technology. Thus, in an embodiment, the node 30 may include two ormore transmit/receive elements 36 (e.g., multiple antennas) fortransmitting and receiving wireless signals.

The transceiver 34 may be configured to modulate the signals that are tobe transmitted by the transmit/receive element 36 and to demodulate thesignals that are received by the transmit/receive element 36. As notedabove, the node 30 may have multi-mode capabilities. Thus, thetransceiver 34 may include multiple transceivers for enabling the node30 to communicate via multiple RATs, such as UTRA and IEEE 802.11, forexample.

The processor 32 may access information from, and store data in, anytype of suitable memory, such as the non-removable memory 44 and/or theremovable memory 46. The non-removable memory 44 may includerandom-access memory (RAM), read-only memory (ROM), a hard disk, or anyother type of memory storage device. The removable memory 46 may includea subscriber identity module (SIM) card, a memory stick, a securedigital (SD) memory card, and the like. In other embodiments, theprocessor 32 may access information from, and store data in, memory thatis not physically located on the node 30, such as on a server or a homecomputer. The processor 32 may be configured to control lightingpatterns, images, or colors on the display or indicators 42 in responseto whether the permission-based resource or service discovery in some ofthe embodiments described herein are successful or unsuccessful, orotherwise indicate the status of permission-based discovery. A graphicaluser interface, which may be shown on the display, may be layered on topof an API to allow a user to interactively establish and managepermission-based resource or service discovery described herein (e.g.,see FIGS. 14A and 14B). For example, as described above with referenceto FIG. 14A, a user can use the graphical user interface to configure agiven registrant to specify which permission-based filter criteria, suchas the criteria in Table 2 for example, should be included in apermission based-discovery request that is sent by the given registrant.Similarly, a user can use the graphical user interface to configure agiven registrant to specify which permission-based discovery parameters,such as the parameters listed in Table 3 for example, should be includedin a permission based-discovery request that is sent by the givenregistrant. By way of another example, the graphical user interfaceassociated with a given registrant (e.g., see FIG. 14B) can displaypermission-based discovery results, such as the response parameterslisted in Table 4 for example, that are contained in a given responsefrom a given CSE. Thus, based on the response, a user, via the userinterface, may select one or more resources or services such that theselected services or resources are accessed by the given registrant. Theselected resources or services may be resources or services that theregistrant has permission to access, as indicated by the discoveryresponse.

The processor 32 may receive power from the power source 48, and may beconfigured to distribute and/or control the power to the othercomponents in the node 30. The power source 48 may be any suitabledevice for powering the node 30. For example, the power source 48 mayinclude one or more dry cell batteries (e.g., nickel-cadmium (NiCd),nickel-zinc (NiZn), nickel metal hydride (NiMH), lithium-ion (Li-ion),etc.), solar cells, fuel cells, and the like.

The processor 32 may also be coupled to the GPS chipset 50, which isconfigured to provide location information (e.g., longitude andlatitude) regarding the current location of the node 30. It will beappreciated that the node 30 may acquire location information by way ofany suitable location-determination method while remaining consistentwith an embodiment.

The processor 32 may further be coupled to other peripherals 52, whichmay include one or more software and/or hardware modules that provideadditional features, functionality and/or wired or wirelessconnectivity. For example, the peripherals 52 may include anaccelerometer, an e-compass, a satellite transceiver, a sensor, adigital camera (for photographs or video), a universal serial bus (USB)port, a vibration device, a television transceiver, a hands freeheadset, a Bluetooth® module, a frequency modulated (FM) radio unit, adigital music player, a media player, a video game player module, anInternet browser, and the like.

FIG. 14D is a block diagram of an exemplary computing system 90 whichmay also be used to implement one or more nodes of a network, such asnodes, devices, functions, or networks illustrated in FIGS. 6-12, whichmay operate as an M2M server, gateway, device, or other node in an M2Mnetwork such as that illustrated in FIGS. 13A and 13B. Computing system90 may comprise a computer or server and may be controlled primarily bycomputer readable instructions, which may be in the form of software,wherever, or by whatever means such software is stored or accessed. Suchcomputer readable instructions may be executed within central processingunit (CPU) 91 to cause computing system 90 to do work. In many knownworkstations, servers, and personal computers, central processing unit91 is implemented by a single-chip CPU called a microprocessor. In othermachines, the central processing unit 91 may comprise multipleprocessors. Coprocessor 81 is an optional processor, distinct from mainCPU 91, which performs additional functions or assists CPU 91. CPU 91and/or coprocessor 81 may receive, generate, and process data related tothe disclosed systems and methods for discovery resources.

In operation, CPU 91 fetches, decodes, and executes instructions, andtransfers information to and from other resources via the computer'smain data-transfer path, system bus 80. Such a system bus connects thecomponents in computing system 90 and defines the medium for dataexchange. System bus 80 typically includes data lines for sending data,address lines for sending addresses, and control lines for sendinginterrupts and for operating the system bus. An example of such a systembus 80 is the PCI (Peripheral Component Interconnect) bus.

Memory devices coupled to system bus 80 include random access memory(RAM) 82 and read only memory (ROM) 93. Such memories include circuitrythat allows information to be stored and retrieved. ROMs 93 generallycontain stored data that cannot easily be modified. Data stored in RAM82 can be read or changed by CPU 91 or other hardware devices. Access toRAM 82 and/or ROM 93 may be controlled by memory controller 92. Memorycontroller 92 may provide an address translation function thattranslates virtual addresses into physical addresses as instructions areexecuted. Memory controller 92 may also provide a memory protectionfunction that isolates processes within the system and isolates systemprocesses from user processes. Thus, a program running in a first modecan access only memory mapped by its own process virtual address space;it cannot access memory within another process's virtual address spaceunless memory sharing between the processes has been set up.

In addition, computing system 90 may contain peripherals controller 83responsible for communicating instructions from CPU 91 to peripherals,such as printer 94, keyboard 84, mouse 95, and disk drive 85.

Display 86, which is controlled by display controller 96, is used todisplay visual output generated by computing system 90. Such visualoutput may include text, graphics, animated graphics, and video. Display86 may be implemented with a CRT-based video display, an LCD-basedflat-panel display, gas plasma-based flat-panel display, or atouch-panel. Display controller 96 includes electronic componentsrequired to generate a video signal that is sent to display 86. Agraphical user interface may be displayed by the display 86. Forexample, a user can use the graphical user interface to configure agiven registrant to specify which permission-based filter criteria, suchas the criteria in Table 2 for example, should be included in apermission based-discovery request that is sent by the given registrant.Similarly, a user can use the graphical user interface to configure agiven registrant to specify which permission-based discovery parameters,such as the parameters listed in Table 3 for example, should be includedin a permission based-discovery request that is sent by the givenregistrant. By way of another example, the graphic user interfaceassociated with a given registrant can display permission-baseddiscovery results, such as the response parameters listed in Table 4 forexample, that are contained in a given response from a given CSE. Thus,based on the response, a user, via the user interface, may select one ormore resources or services such that the select services are accessed bya given registrant. The selected resources or services may be resourcesor services that the registrant has permission to access, as indicatedby the discovery response.

Further, computing system 90 may contain communication circuitry, suchas for example a network adaptor 97 that may be used to connectcomputing system 90 to an external communications network, such asnetwork 12 of FIG. 13A and FIG. 13B, to enable the computing system 90to communicate with other nodes of the network. The communicationcircuitry, alone or in combination with the CPU 91, may be used toperform the transmitting and receiving steps described herein (e.g., inFIGS. 6, 11, and 12) and in the claims.

It will be understood that any of the methods and processes describedherein may be embodied in the form of computer executable instructions(i.e., program code) stored on a computer-readable storage medium whichinstructions, when executed by a machine, such as a computer, server,M2M terminal device, M2M gateway device, or the like, perform and/orimplement the systems, methods and processes described herein.Specifically, any of the steps, operations or functions described abovemay be implemented in the form of such computer executable instructions.Computer readable storage media include both volatile and nonvolatile,removable and non-removable media implemented in any method ortechnology for storage of information, but such computer readablestorage media do not include signals. Computer readable storage mediainclude, but are not limited to, RAM, ROM, EEPROM, flash memory or othermemory technology, CD-ROM, digital versatile disks (DVD) or otheroptical disk storage, magnetic cassettes, magnetic tape, magnetic diskstorage or other magnetic storage devices, or any other physical mediumwhich can be used to store the desired information and which can beaccessed by a computer.

In describing preferred embodiments of the subject matter of the presentdisclosure, as illustrated in the Figures, specific terminology isemployed for the sake of clarity. The claimed subject matter, however,is not intended to be limited to the specific terminology so selected,and it is to be understood that each specific element includes alltechnical equivalents that operate in a similar manner to accomplish asimilar purpose.

This written description uses examples to disclose the invention,including the best mode, and also to enable any person skilled in theart to practice the invention, including making and using any devices orsystems and performing any incorporated methods. The patentable scope ofthe invention is defined by the claims, and may include other examplesthat occur to those skilled in the art. Such other examples are intendedto be within the scope of the claims if they have structural elementsthat do not differ from the literal language of the claims, or if theyinclude equivalent structural elements with insubstantial differencesfrom the literal languages of the claims.

What is claimed:
 1. A method performed by a network node that hosts aservice layer and that communicates with a registrant, the methodcomprising: receiving a discovery request, from the registrant, for oneor more resources, the discovery request including a parameter thatspecifies one or more operations that the registrant intends to performon the discovered resources, wherein the parameter comprises anindication of permission-based filter criteria; based on the intendedoperations specified in the discovery request, determining whether oneor more resources at the service layer have privileges defined thatpermit the registrant to perform the intended operations; and sending adiscovery response to the registrant, wherein the discovery responseincludes a list of identifiers of one or more discovered resources thatthe registrant has privileges to perform the intended operations upon.2. The method as recited in claim 1, wherein the parameter comprises anindication of at least one of an operation that the registrant intendsto perform on the resource, a role that the registrant intends to assumeif the registrant accesses the resource, a location at which theregistrant intends to access the resource, and a subscription plan thatthe registrant intends to use if the registrant accesses the resource.3. The method as recited in claim 1, the method further comprising: whenthe one or more resources do not satisfy the discovery request, sendingat least one resource to the registrant such that the registrant canobtain permission to access the at least one resource.
 4. The method asrecited in claim 1, the method further comprising: when the one or moreresources satisfy the discovery request, sending the one or moreresources to the registrant.
 5. The method as recited in claim 1,wherein one of a plurality of permission-based discovery responseparameters indicates that the select one of the one or more resources 1)satisfies the permission based filter criteria and 2) cannot be accessedby the registrant due to a lack of permissions.
 6. The method as recitedin claim 5, wherein one of the permission-based discovery responseparameters indicates an operation that the registrant is permitted toperform on the select one of the one or more resources.
 7. The method asrecited in claim 5, wherein one of the permission-based discoveryresponse parameters indicates a role that the registrant is permitted toassume to a select one of the one or more resources.
 8. The method asrecited in claim 5, wherein one of the permission-based discoveryresponse parameters indicates a location from which the registrant ispermitted to access a select one of the one or more resources.
 9. Themethod as recited in claim 5, wherein one of the permission-baseddiscovery response parameters indicates a subscription plan that isrequired in order to access a select one of the one or more resources.10. The method as recited in claim 1, wherein the registrant is anapplication entity or a common services entity.
 11. The method asrecited in claim 1, wherein the service layer is a common servicesentity.
 12. The method as recited in claim 1, wherein the registrant isconfigured, via a user interface, such that the parameter is specifiedby a user of the registrant.
 13. A network node that hosts a servicelayer, the network node comprising communication circuitry such that thenode is coupled with a network via its communication circuitry, whereinthe network node further comprises: a processor and a memory, the memorycontaining computer-executable instructions that when executed by theprocessor, cause the processor to perform operations comprising:receiving a discovery request, from a registrant, for one or moreresources, the discovery request including a parameter that specifiesone or more operations that the registrant intends to perform on thediscovered resources, wherein the parameter comprises an indication ofpermission-based filter criteria; based on the intended operationsspecified in the discovery request, determining whether one or moreresources at the service layer have privileges defined that permit theregistrant to perform the intended operations; and sending a discoveryresponse to the registrant, wherein the discovery response includes alist of identifiers of one or more discovered resources that theregistrant has privileges to perform the intended operations upon. 14.The network node as recited in claim 13, wherein the parameter comprisesan indication of an operation that the registrant intends to perform onthe resource, a role that the registrant intends to assume if theregistrant accesses the resource, a location at which the registrantintends to access the resource, and a subscription plan that theregistrant intends to use if the registrant accesses the resource. 15.The network node as recited in claim 13 the operations furthercomprising: when the one or more resources do not satisfy the discoveryrequest, sending at least one resource to the registrant such that theregistrant can obtain permission to access the at least one resource.16. The network node as recited in claim 13, the operations furthercomprising: when the one or more resources satisfy the discoveryrequest, sending the one or more resources to the registrant.
 17. Thenetwork node as recited in claim 13, wherein one of a plurality ofpermission-based discovery response parameters indicates that a selectone of the one or more resources 1) satisfies the permission-basedfilter criteria and 2) cannot be accessed by the registrant due to alack of permissions.
 18. The network node as recited in claim 17,wherein one of the permission-based discovery response parametersindicates an operation that the registrant is permitted to perform onthe select one of the one or more resources.
 19. The network node asrecited in claim 17, wherein one of the permission-based discoveryresponse parameters indicates a role that the registrant is permitted toassume to the select one of the one or more resources.
 20. The networknode as recited in claim 17, wherein one of the permission-baseddiscovery response parameters indicates a location from which theregistrant is permitted access the select one of the one or moreresources.
 21. The network node as recited in claim 17, wherein one ofthe permission-based discovery response parameters indicates asubscription plan that is required in order to access the select one ofthe one or more resources.